# HG changeset patch # User Kim Alvefur # Date 1698247130 -7200 # Node ID e274431bf4ce91b3f561a36a81b186284d0bfd20 # Parent 0cffeff2cd1d7f9381c14d91ad6b13f9d382779d mod_http_status: Add IP allowlisting capabilities Based on mod_http_openmetrics diff -r 0cffeff2cd1d -r e274431bf4ce mod_http_status/README.md --- a/mod_http_status/README.md Wed Oct 25 15:36:20 2023 +0200 +++ b/mod_http_status/README.md Wed Oct 25 17:18:50 2023 +0200 @@ -13,3 +13,19 @@ } ``` +# Configuration + + +By default only access via localhost is allowed. This can be adjusted with `http_status_allow_ips`. The following example shows the default: + +``` +http_status_allow_ips = { "::1"; "127.0.0.1" } +``` + +Access can also be granted to one IP range via CIDR notation: + +``` +http_status_allow_cidr = "172.17.2.0/24" +``` + +The default for `http_status_allow_cidr` is empty. diff -r 0cffeff2cd1d -r e274431bf4ce mod_http_status/mod_http_status.lua --- a/mod_http_status/mod_http_status.lua Wed Oct 25 15:36:20 2023 +0200 +++ b/mod_http_status/mod_http_status.lua Wed Oct 25 17:18:50 2023 +0200 @@ -2,13 +2,29 @@ local json = require "util.json"; local datetime = require "util.datetime".datetime; +local ip = require "util.ip"; local modulemanager = require "core.modulemanager"; +local permitted_ips = module:get_option_set("http_status_allow_ips", { "::1", "127.0.0.1" }); +local permitted_cidr = module:get_option_string("http_status_allow_cidr"); + +local function is_permitted(request) + local ip_raw = request.ip; + if permitted_ips:contains(ip_raw) or + (permitted_cidr and ip.match(ip.new_ip(ip_raw), ip.parse_cidr(permitted_cidr))) then + return true; + end + return false; +end + module:provides("http", { route = { GET = function(event) local request, response = event.request, event.response; + if not is_permitted(request) then + return 403; -- Forbidden + end response.headers.content_type = "application/json"; local resp = { ["*"] = true };